From 61ced82cb46bbb0bad294dbc36551d9ea47cab6e Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Wed, 16 Aug 2023 10:31:48 -0700 Subject: [PATCH 1/6] Restrict Ports when BINE_WHONIX is enabled. --- tor/torProvider.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tor/torProvider.go b/tor/torProvider.go index 47b6275..a1e2748 100644 --- a/tor/torProvider.go +++ b/tor/torProvider.go @@ -274,6 +274,10 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) { localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport)) } + // for whonix like systems we tightly restrict possible listen... + // pick a random port between 15300 and 15378 + // cwtch = 63 *77 *74* 63* 68 = 1537844616 + localport = 15300 + ((localport - 1024) % 78) } else { localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport)) } @@ -298,6 +302,7 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne return nil, err } + os.ID = onion os.CloseLocalListenerOnClose = true ols := &onionListenService{os: os, tp: tp} From c9ea1e44647032ab83fac931b133194d9497f2b1 Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Wed, 16 Aug 2023 10:33:12 -0700 Subject: [PATCH 2/6] Comment os.ID --- tor/torProvider.go | 1 + 1 file changed, 1 insertion(+) diff --git a/tor/torProvider.go b/tor/torProvider.go index a1e2748..bdc65e2 100644 --- a/tor/torProvider.go +++ b/tor/torProvider.go @@ -302,6 +302,7 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne return nil, err } + // We need to set os.ID here, otherwise os.Close() may not shut down the onion service properly... os.ID = onion os.CloseLocalListenerOnClose = true From 2c9ec9d89462627c3c5d4976c386973958bf20e0 Mon Sep 17 00:00:00 2001 
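Review bot: The restricted `localport` is assigned after `net.Listen` has already bound `0.0.0.0:` plus the original port in the workstation branch, so the bound listener and the `localport` value used further down (presumably for the onion service target, outside the hunk) no longer agree, and `(localport - 1024) % 78` goes negative for ports below 1024 because Go's `%` keeps the sign of the dividend. Both points are addressed by PATCH 3/6 in this series, which moves the remap ahead of the bind and drops the `- 1024`; if this patch is ever applied alone, the remap line belongs above the `os.Stat` check. The enclosing `Listen` method starts and ends outside the hunk.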
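Review bot: `os.ID = onion` writes to a local variable named `os` that shadows the `os` package this same method calls a few lines earlier (`os.Getenv`, `os.Stat` in the first hunk); that only compiles because the local is declared after those calls, and its declaration is outside the hunk. Any later use of the package below that point would silently resolve to the struct instead, so the local deserves a distinct name, e.g. `svc.ID = onion`, `svc.CloseLocalListenerOnClose = true`, `ols := &onionListenService{os: svc, tp: tp}` with the declaration renamed to match. The enclosing `Listen` method starts and ends outside the hunk.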
From: Sarah Jamie Lewis Date: Wed, 16 Aug 2023 10:46:02 -0700 Subject: [PATCH 3/6] Clean up and seperate flags --- tor/torProvider.go | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/tor/torProvider.go b/tor/torProvider.go index bdc65e2..35be9a6 100644 --- a/tor/torProvider.go +++ b/tor/torProvider.go @@ -270,14 +270,23 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne var localListener net.Listener var err error - if bineWhonix := os.Getenv("BINE_WHONIX"); strings.ToLower(bineWhonix) == "true" { - if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) { - localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport)) - } + + if cwtchRestrictPorts := os.Getenv("CWTCH_RESTRICT_PORTS"); strings.ToLower(cwtchRestrictPorts) == "true" { // for whonix like systems we tightly restrict possible listen... // pick a random port between 15300 and 15378 // cwtch = 63 *77 *74* 63* 68 = 1537844616 - localport = 15300 + ((localport - 1024) % 78) + log.Infof("using restricted ports, CWTCH_RESTRICT_PORTS=true"); + localport = 15300 + (localport % 78) + } + + if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" { + if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) { + log.Infof("WARNING: binding to external interfaces. This is potentially unsafe outside of a containerized environment."); + localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport)) + } else { + log.Errorf("CWTCH_BIND_EXTERNAL_WHONIX flag set, but /usr/share/anon-ws-base-files/workstation does not exist. Defaulting to binding to local ports"); + localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport)) + } } else { localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport)) } From bbacb5539d837d8345bcceafae04eaa155942d4f Mon Sep 17 00:00:00 2001 
From: Sarah Jamie Lewis Date: Wed, 16 Aug 2023 10:49:25 -0700 Subject: [PATCH 4/6] Documentation --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 25493c1..0a2d850 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,8 @@ A library providing an ACN (Anonymous Communication Network ## Environment Variables - `TOR_LD_LIBRARY_PATH` - override the library path given to the Tor process as different from the one given to the parent process. +- `CWTCH_RESTRICT_PORTS` - forces connectivity to bind to a subset of ports `15300-15378` +- `CWTCH_BIND_EXTERNAL_WHONIX` - forces connectivity to bind to external interfaces (only supported/recommended on certain Whonix-based setups. Please open an issue if you think this should be expanded.) ## Requirements for ACN Support @@ -54,4 +56,4 @@ service: acn.Restart() and - acn.Close() \ No newline at end of file + acn.Close() From 932f99fac82e5bd5964e8b818114ec5a74a27542 Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Wed, 16 Aug 2023 10:56:43 -0700 Subject: [PATCH 5/6] Expand Useable Ports...these apply to hosted servers too.. --- tor/torProvider.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tor/torProvider.go b/tor/torProvider.go index 35be9a6..fbe5e3e 100644 --- a/tor/torProvider.go +++ b/tor/torProvider.go 
@@ -273,10 +273,10 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne if cwtchRestrictPorts := os.Getenv("CWTCH_RESTRICT_PORTS"); strings.ToLower(cwtchRestrictPorts) == "true" { // for whonix like systems we tightly restrict possible listen... - // pick a random port between 15300 and 15378 + // pick a random port between 15000 and 15378 // cwtch = 63 *77 *74* 63* 68 = 1537844616 log.Infof("using restricted ports, CWTCH_RESTRICT_PORTS=true"); - localport = 15300 + (localport % 78) + localport = 15000 + (localport % 378) } if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" { From d8dd82d0659ed2debc8f4ca8283fe45f60363266 Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Wed, 16 Aug 2023 10:59:31 -0700 Subject: [PATCH 6/6] Update Docs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0a2d850..679f7e5 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ A library providing an ACN (Anonymous Communication Network ## Environment Variables - `TOR_LD_LIBRARY_PATH` - override the library path given to the Tor process as different from the one given to the parent process. -- `CWTCH_RESTRICT_PORTS` - forces connectivity to bind to a subset of ports `15300-15378` +- `CWTCH_RESTRICT_PORTS` - forces connectivity to bind to a subset of ports `15000-15378` - `CWTCH_BIND_EXTERNAL_WHONIX` - forces connectivity to bind to external interfaces (only supported/recommended on certain Whonix-based setups. Please open an issue if you think this should be expanded.) ## Requirements for ACN Support
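Review bot: `localport % 378` yields 0..377, so the new mapping lands in 15000..15377, one short of the "between 15000 and 15378" stated in the comment on the line above (and in the README line changed by PATCH 6/6); either write `// pick a port between 15000 and 15377` or use `% 379` if 15378 is meant to be reachable. "pick a random port" also overstates it: the result is a deterministic function of the incoming `localport`, whose origin is outside the hunk. The two magic numbers would read better as named constants, e.g. `const restrictedPortBase, restrictedPortSpan = 15000, 378`. With only 378 candidates and no retry, a port already taken presumably surfaces as a `net.Listen` error further down, which the caller may want to know about when several services share a host. The enclosing `Listen` method starts and ends outside the hunk.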